This repository has been archived by the owner on Feb 7, 2021. It is now read-only.
[master] Send CORS headers to allow cross site requests #129
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
brandonwamboldt
changed the title
|
Thanks for the PR! I've merged it with some minor changes. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds CORS headers to all responses so that HTML tools (e.g. dashboards) can be built that don't need to be served from the same domain as Varnish Agent, which is very useful in situations with multiple varnish servers or if you want to host your tools with something like Nginx/Apache (so you have access to FastCGI languages for example).
This will allow cross-site HTTP requests from ANY domain, which normally would be a security risk in an application like this where you have destructive capabilities. However, Varnish Agent forces you to use HTTP basic authentication, so that risk is mitigated. An attacker can only perform a cross-site request if they know the host, port, username, and password for varnish agent, at which point you have larger issues.
There is no way from the browser sandbox for a script to send a request without hard coding the credentials into the JavaScript, unless it's on the same domain (in which case this PR changes nothing).
I'm happy to answer any questions about this.